Hello,

On Fri, Mar 21, 2025 at 06:43:19PM +0100, Uwe Kleine-König wrote:
> Package: gnupg
> Version: 2.2.46-5
> Severity: normal
> X-Debbugs-Cc: [email protected]
>
> Hello,
>
> uwe@taurus:~$ keyringgpghome="$(mktemp -d)"
>
> uwe@taurus:~$ gpg --homedir "$keyringgpghome" --locate-external-key
> [email protected] [email protected]
> gpg: keybox '/tmp/tmp.U5pMuWLasg/pubring.kbx' created
> gpg: /tmp/tmp.U5pMuWLasg/trustdb.gpg: trustdb created
> gpg: key E2DCDD9132669BD6: public key "Uwe Kleine-König
> <[email protected]>" imported
> gpg: Total number processed: 1
> gpg: imported: 1
> gpg: no ultimately trusted keys found
> gpg: key B0D589D46708EC99: public key "Trevor Gamblin
> <[email protected]>" imported
> gpg: Total number processed: 1
> gpg: imported: 1
> gpg: no ultimately trusted keys found
> pub rsa4096 2010-06-15 [SC] [expires: 2027-06-21]
> 0D2511F322BFAB1C1580266BE2DCDD9132669BD6
> uid [ unknown] Uwe Kleine-König <[email protected]>
> sub rsa2048 2023-03-17 [A] [expires: 2027-06-21]
> sub rsa2048 2023-03-17 [S] [expires: 2027-06-21]
> sub rsa2048 2023-03-17 [E] [expires: 2027-06-21]
>
> pub rsa4096 2024-11-19 [C] [expires: 2026-11-19]
> A3A9D4BDAB1069811F48D30EB0D589D46708EC99
> uid [ unknown] Trevor Gamblin <[email protected]>
> sub cv25519 2024-11-19 [E]
> sub ed25519 2024-11-19 [S]
> sub ed25519 2024-11-19 [A]
>
> uwe@taurus:~$ gpg --homedir "$keyringgpghome" --list-sigs --with-colon
> E2DCDD9132669BD6 | grep -E '(^pub|^uid|B0D589D46708EC99)'
>
> pub:-:4096:1:E2DCDD9132669BD6:1276614694:1813572000::-:::scESCA::::::23:1742578410:4:
> uid:-::::1739887646::7E218F31504E286A852C2E05459BA0DC22FF34AE::Uwe
> Kleine-König <[email protected]>:::::::::1742578410:4
> https\x3a//openpgpkey.baylibre.com:
> sig:::1:B0D589D46708EC99:1732894509::::Trevor Gamblin
> <[email protected]>:10x::A3A9D4BDAB1069811F48D30EB0D589D46708EC99:::10:
>
> So my key E2DCDD9132669BD6 has a signature by Trevor's key.
>
> uwe@taurus:~$ gpg --homedir "$keyringgpghome" --edit-key
> E2DCDD9132669BD6 clean save
> gpg (GnuPG) 2.2.46; Copyright (C) 2024 g10 Code GmbH
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
>
>
> pub rsa4096/E2DCDD9132669BD6
> created: 2010-06-15 expires: 2027-06-21 usage: SC
> trust: unknown validity: unknown
> The following key was revoked on 2023-03-17 by RSA key E2DCDD9132669BD6
> Uwe Kleine-König <[email protected]>
> sub rsa2048/DB334D9FBE6A05BF
> created: 2015-01-11 revoked: 2023-03-17 usage: A
> The following key was revoked on 2015-01-11 by RSA key E2DCDD9132669BD6
> Uwe Kleine-König <[email protected]>
> sub rsa4096/3C3A2D28B94A2928
> created: 2010-06-15 revoked: 2015-01-11 usage: E
> The following key was revoked on 2023-03-17 by RSA key E2DCDD9132669BD6
> Uwe Kleine-König <[email protected]>
> sub rsa2048/C1FC1478ADCAEC09
> created: 2015-01-11 revoked: 2023-03-17 usage: S
> sub rsa2048/B29A43280A6EF95B
> created: 2023-03-17 expires: 2027-06-21 usage: A
> sub rsa2048/8F80FB587D12FE4E
> created: 2023-03-17 expires: 2027-06-21 usage: S
> sub rsa2048/120E75698E64909B
> created: 2023-03-17 expires: 2027-06-21 usage: E
> The following key was revoked on 2023-03-17 by RSA key E2DCDD9132669BD6
> Uwe Kleine-König <[email protected]>
> sub rsa2048/F2FF566A57C91BC7
> created: 2015-01-11 revoked: 2023-03-17 usage: E
> [ unknown] (1). Uwe Kleine-König <[email protected]>
>
> User ID "Uwe Kleine-König <[email protected]>": 7 signatures
> removed
>
> pub rsa4096/E2DCDD9132669BD6
> created: 2010-06-15 expires: 2027-06-21 usage: SC
> trust: unknown validity: unknown
> The following key was revoked on 2023-03-17 by RSA key E2DCDD9132669BD6
> Uwe Kleine-König <[email protected]>
> sub rsa2048/DB334D9FBE6A05BF
> created: 2015-01-11 revoked: 2023-03-17 usage: A
> The following key was revoked on 2015-01-11 by RSA key E2DCDD9132669BD6
> Uwe Kleine-König <[email protected]>
> sub rsa4096/3C3A2D28B94A2928
> created: 2010-06-15 revoked: 2015-01-11 usage: E
> The following key was revoked on 2023-03-17 by RSA key E2DCDD9132669BD6
> Uwe Kleine-König <[email protected]>
> sub rsa2048/C1FC1478ADCAEC09
> created: 2015-01-11 revoked: 2023-03-17 usage: S
> sub rsa2048/B29A43280A6EF95B
> created: 2023-03-17 expires: 2027-06-21 usage: A
> sub rsa2048/8F80FB587D12FE4E
> created: 2023-03-17 expires: 2027-06-21 usage: S
> sub rsa2048/120E75698E64909B
> created: 2023-03-17 expires: 2027-06-21 usage: E
> The following key was revoked on 2023-03-17 by RSA key E2DCDD9132669BD6
> Uwe Kleine-König <[email protected]>
> sub rsa2048/F2FF566A57C91BC7
> created: 2015-01-11 revoked: 2023-03-17 usage: E
> [ unknown] (1). Uwe Kleine-König <[email protected]>
>
> uwe@taurus:~$ gpg --homedir "$keyringgpghome" --list-sigs --with-colon
> E2DCDD9132669BD6 | grep -E '(^pub|^uid|B0D589D46708EC99)'
>
> pub:-:4096:1:E2DCDD9132669BD6:1276614694:1813572000::-:::scESCA::::::23:1742578410:4:
> uid:-::::1739887646::7E218F31504E286A852C2E05459BA0DC22FF34AE::Uwe
> Kleine-König <[email protected]>:::::::::1742578410:4
> https\x3a//openpgpkey.baylibre.com:
>
> So "clean"ing my key removed Trevor's signature.

To expand the set of affected sample data: If you do the above and import the
keys for

	[email protected]
	[email protected]
	[email protected]
	[email protected]
	[email protected]

cleaning the first four keys removes (only) all the signatures by Trevor.

The kernel pgp keyring has some more examples it seems:

	git clone https://git.kernel.org/pub/scm/docs/kernel/pgpkeys.git
	cd pgpkeys
	keyringgpghome="$(mktemp -d)"
	gpg --homedir "$keyringgpghome" --import keys/*.asc
	gpg --homedir "$keyringgpghome" --export > keyring-2.2.46
	gpg --homedir "$keyringgpghome" --export --export-options export-clean > keyring-2.2.46-clean

and repeating the same with gpg 2.2.45, I get:

	$ ls -lS keyring-*
	-rw-rw-r-- 1 uwe uwe 8705354 Mar 24 16:39 keyring-2.2.45
	-rw-rw-r-- 1 uwe uwe 8705354 Mar 24 16:37 keyring-2.2.46
	-rw-rw-r-- 1 uwe uwe 8199427 Mar 24 16:40 keyring-2.2.45-clean
	-rw-rw-r-- 1 uwe uwe 8162407 Mar 24 16:37 keyring-2.2.46-clean

The cleaned keyring exported by 2.2.46 is considerably smaller, so
2.2.46 cleaned more aggressively. Looking at the output of

	diff -u <(gpg --list-packets keyring-2.2.45-clean | grep "issuer key" | sort) <(gpg --list-packets keyring-2.2.46-clean | grep "issuer key" | sort)

there are differences in both directions (i.e. signatures that are only
removed by 2.2.45 and others that are only removed by 2.2.46). At least
that is my interpretation given there are + and - lines. I didn't try to
inspect the data to judge for each difference which version of gnupg is
correct.

Best regards
Uwe
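
An added example, not part of the original message or of GnuPG: a small script that attributes each vanished third-party signature to the key it was on, by diffing two `gpg --list-sigs --with-colons` listings taken before and after cleaning. The function names and the sample records (user IDs and the self-signature line) are constructed for illustration; the key IDs are the ones quoted in the report.

```shell
#!/bin/sh
# Added example: diff third-party signatures between two
# `gpg --list-sigs --with-colons` listings (before and after "clean").
LC_ALL=C; export LC_ALL

# stdin: colon listing. stdout: "primary-keyid issuer-keyid sig-class" lines.
# gpg escapes ':' inside user IDs as \x3a, so splitting on ':' is safe.
sig_triples() {
    awk -F: '
        $1 == "pub" { pub = $5 "" }     # field 5: primary key ID (as string)
        $1 == "sig" && $5 != pub {      # ignore self-signatures
            print pub, $5, $11          # field 5: issuer, field 11: class
        }' | sort -u
}

# $1: listing before clean, $2: listing after. Prints signatures that vanished.
removed_sigs() {
    b=$(mktemp) a=$(mktemp)
    sig_triples < "$1" > "$b"
    sig_triples < "$2" > "$a"
    comm -23 "$b" "$a"
    rm -f "$b" "$a"
}

# Constructed sample modelled on the listing in the report (user IDs and the
# self-signature line are made up; key IDs are the ones quoted above).
write_sample() {
    cat > "$1/before.txt" <<'EOF'
pub:-:4096:1:E2DCDD9132669BD6:1276614694:1813572000::-:::scESCA::::::23:1742578410:4:
uid:-::::1739887646::7E218F31504E286A852C2E05459BA0DC22FF34AE::Example User <user@example.org>:
sig:::1:E2DCDD9132669BD6:1739887646::::Example User <user@example.org>:13x:::::10:
sig:::1:B0D589D46708EC99:1732894509::::Other User <other@example.org>:10x::A3A9D4BDAB1069811F48D30EB0D589D46708EC99:::10:
EOF
    grep -v ':B0D589D46708EC99:' "$1/before.txt" > "$1/after.txt"
}

d=$(mktemp -d)
write_sample "$d"
removed_sigs "$d/before.txt" "$d/after.txt"
rm -rf "$d"
```

Run against listings of the same imported keyring cleaned by two GnuPG versions, the two outputs can be compared with `diff` to see which version dropped which issuer on which key.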

